Android App Penetration Testing & Frida Hooks

Beyond startActivity: Mastering Frida for Android System Service API Hooking


Introduction: The Power of Runtime Manipulation in Android

Android penetration testing and security research often involve runtime analysis, with tools like Frida being indispensable. While application-level hooking (intercepting methods within a specific app’s process) is common, understanding and manipulating Android’s underlying system services opens up a much deeper realm of analysis. This article dives into advanced Frida techniques, moving beyond simple application process hooks to demonstrate how to effectively target and manipulate Android System Service APIs, using an example like `startActivity` to illustrate the process.

The Intricacies of Android System Services

Android’s architecture relies heavily on inter-process communication (IPC), primarily through the Binder mechanism, for system services. Services like `ActivityManagerService`, `PackageManagerService`, `WindowManagerService`, and many others run in their own dedicated processes (often the `system_server` process) and provide core functionalities to all applications. This multi-process nature introduces challenges for hooking:

  • Process Isolation: An application’s process is distinct from the `system_server` process. A Frida script injected into an app cannot directly access or modify methods within `system_server`.

  • Binder Proxies: When an app calls a system service method (e.g., `Context.startActivity()`), it doesn’t directly invoke the service implementation. Instead, it interacts with a local Binder proxy object, which then marshals the call and sends it over IPC to the actual service implementation in the `system_server` process.

  • Complexity: The sheer number of services and their underlying implementations (often in AOSP’s Java or native C++) can be daunting.

Our goal is to inject Frida into the `system_server` process itself, allowing us to hook the actual service implementations rather than just their client-side proxies.

Identifying Target System Services and Methods

Before hooking, we need to know what to hook. This involves a bit of detective work:

1. Listing Available Services

The `service list` command is your first stop:

adb shell service list

This provides a list of registered Binder services and their corresponding interface names (e.g., `activity` -> `android.app.IActivityManager`).

2. AOSP Source Code Analysis

The definitive source for understanding Android internals is the Android Open Source Project (AOSP) code. For example, to understand `startActivity`, we trace it:

  • Context.startActivity() calls Instrumentation.execStartActivity().

  • This then calls ActivityManager.getService().startActivity().

  • ActivityManager.getService() returns an `IActivityManager` instance, which is a Binder proxy.

  • The actual implementation lives in ActivityManagerService.java within the `system_server` process.

Locate the specific method signature in AOSP. For `ActivityManagerService`, you’ll find multiple `startActivity` overloads. A common one is:

public int startActivity(IApplicationThread caller, String callingPackage, String callingFeatureId, Intent intent, String resolvedType, IBinder resultTo, String resultWho, int requestCode, int flags, Bundle options) { ... }

3. Decompiling `framework.jar` and `services.jar`

For on-device analysis, you can pull and decompile these JARs:

adb pull /system/framework/framework.jar.art /tmp/framework.jar.art
adb pull /system/framework/services.jar.art /tmp/services.jar.art
# For newer Android versions, you might need to find the oat/vdex files and use tools like oat2dex or manually convert to dex.
adb shell cp /system/framework/framework.jar /sdcard/framework.jar
adb pull /sdcard/framework.jar .
# Then use a decompiler like JADX to inspect

Inspecting these JARs will confirm method signatures and class hierarchies relevant to system services.

Frida for `system_server` Process Hooking

To hook system services, we need to attach Frida to the `system_server` process.

1. Prerequisites

  • Rooted Android device or emulator.

  • Frida server running on the device (usually `frida-server` for ARM/ARM64).

adb root
adb push /path/to/frida-server /data/local/tmp/frida-server
adb shell 'chmod 755 /data/local/tmp/frida-server'
adb shell '/data/local/tmp/frida-server &'

2. Attaching to `system_server`

You can attach by process name or PID:

frida -U -n system_server -l your_script.js

Or find the PID first:

adb shell ps | grep system_server
frida -U -p <PID_OF_SYSTEM_SERVER> -l your_script.js

Hands-on Example: Hooking `ActivityManagerService.startActivity`

Let’s craft a Frida script to intercept `startActivity` calls at the system level. Our goal is to log the intent and potentially modify it or block the activity launch.

`hook_startactivity.js`

console.log(
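The script this section describes, written here as an added example rather than the article's own `hook_startactivity.js`: it logs every system-level `startActivity` call and refuses launches whose explicit target is on a constructed placeholder list (`BLOCKED_COMPONENTS`, an assumed value). The policy function takes plain values so it can be exercised outside Frida; the overload list assumes the signature quoted above, which changes between Android versions.

```javascript
'use strict';

// Constructed blocklist for this demo (placeholder component, not a real app):
// launches whose explicit target is listed here are refused.
var BLOCKED_COMPONENTS = ['com.example.placeholder/.HiddenSettingsActivity'];

// Pure policy over a plain description of one startActivity call. It returns the
// log line and a verdict, and uses no Frida objects so it can be tested in Node.
function evaluateLaunch(call) {
  var target = call.component || '(implicit: ' + (call.action || 'no action') + ')';
  var line = '[startActivity] caller=' + (call.callingPackage || '?') +
             ' target=' + target + ' flags=0x' + (call.flags >>> 0).toString(16);
  var verdict = BLOCKED_COMPONENTS.indexOf(call.component) >= 0 ? 'block' : 'allow';
  return { verdict: verdict, line: line + ' -> ' + verdict };
}

// Frida part: runs only where the Java bridge exists, i.e. inside system_server.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    // On newer releases the activity-start path has moved to
    // com.android.server.wm.ActivityTaskManagerService; adjust the class if the hook fails.
    var AMS = Java.use('com.android.server.am.ActivityManagerService');
    var ActivityManager = Java.use('android.app.ActivityManager');
    // Overload matching the signature quoted in the article; check your version's AOSP.
    var original = AMS.startActivity.overload(
      'android.app.IApplicationThread', 'java.lang.String', 'java.lang.String',
      'android.content.Intent', 'java.lang.String', 'android.os.IBinder',
      'java.lang.String', 'int', 'int', 'android.os.Bundle');
    original.implementation = function (caller, callingPackage, featureId, intent,
                                        resolvedType, resultTo, resultWho,
                                        requestCode, flags, options) {
      var comp = intent.getComponent();
      var action = intent.getAction();
      var decision = evaluateLaunch({
        callingPackage: callingPackage === null ? null : callingPackage.toString(),
        action: action === null ? null : action.toString(),
        component: comp === null ? null : comp.flattenToShortString(),
        flags: intent.getFlags()
      });
      console.log(decision.line);
      if (decision.verdict === 'block') {
        // START_ABORTED is a non-negative result code, so the caller receives the
        // refusal as a return value instead of a SecurityException.
        return ActivityManager.START_ABORTED.value;
      }
      return original.apply(this, arguments);
    };
  });
}
```

Run it with `frida -U -n system_server -l hook_startactivity.js`; the log lines show caller package, resolved target and intent flags for every launch the system processes.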
